/// <summary>
/// 过滤不安全的字符串
/// </summary>
/// <param name="Str"></param>
/// <returns></returns>
public static string FilteSQLStr( string Str)
{
Str = Str.Replace( " ' " , "" );
Str = Str.Replace( " /" " , "" );
Str = Str.Replace( " & " , " & " );
Str = Str.Replace( " < " , " < " );
Str = Str.Replace( " > " , " > " );
Str = Str.Replace( " delete " , "" );
Str = Str.Replace( " update " , "" );
Str = Str.Replace( " insert " , "" );
return Str;
}
2.
#region 过滤 Sql 语句字符串中的注入脚本
/// <summary>
/// 过滤 Sql 语句字符串中的注入脚本
/// </summary>
/// <param name="source"> 传入的字符串 </param>
/// <returns> 过 滤后的字符串 </returns>
public static string SqlFilter( string source)
{
// 单引号替换成两个单引号
source = source.Replace( " ' " , " '' " );
// 半角封号替换为全角封号,防止多语句执行
source = source.Replace( " ; " , " ; " );
// 半角括号替换为全角括号
source = source.Replace( " ( " , " ( " );
source = source.Replace( " ) " , " ) " );
/////////////// 要用正则表达式替换,防止字母大小写得情况 ////////////////// //
// 去除执行存储过程的命令关键字
source = source.Replace( " Exec " , "" );
source = source.Replace( " Execute " , "" );
// 去除系统存储过程或扩展存储过程关键字
source = source.Replace( " xp_ " , " x p_ " );
source = source.Replace( " sp_ " , " s p_ " );
// 防止16进制注入
source = source.Replace( " 0x " , " 0 x " );
return source;
}
#endregion
3.
/// 过滤SQL字符。
/// </summary>
/// <param name="str"> 要过滤SQL字符的字符串。 </param>
/// <returns> 已过滤掉SQL字符的字符串。 </returns>
public static string ReplaceSQLChar( string str)
{
if (str == String.Empty)
return String.Empty; str = str.Replace( " ' " , " ‘ " );
str = str.Replace( " ; " , " ; " );
str = str.Replace( " , " , " , " );
str = str.Replace( " ? " , " ? " );
str = str.Replace( " < " , " < " );
str = str.Replace( " > " , " > " );
str = str.Replace( " ( " , " ( " );
str = str.Replace( " ) " , " ) " );
str = str.Replace( " @ " , " @ " );
str = str.Replace( " = " , " = " );
str = str.Replace( " + " , " + " );
str = str.Replace( " * " , " * " );
str = str.Replace( " & " , " & " );
str = str.Replace( " # " , " # " );
str = str.Replace( " % " , " % " );
str = str.Replace( " $ " , " ¥ " );
return str;
}
4.
/// <summary>
/// 过滤标记
/// </summary>
/// <param name="NoHTML"> 包括HTML,脚本,数据库关键字,特殊字符的源码 </param>
/// <returns> 已经去除标记后的文字 </returns>
public string NoHtml( string Htmlstring)
{
if (Htmlstring == null )
{
return "" ;
}
else
{
// 删除脚本
Htmlstring = Regex.Replace(Htmlstring, @" <script[^>]*?>.*?</script> " , "" , RegexOptions.IgnoreCase);
// 删除HTML
Htmlstring = Regex.Replace(Htmlstring, @" <(.[^>]*)> " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" ([/r/n])[/s]+ " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" --> " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" <!--.* " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(quot|#34); " , " /" " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(amp|#38); " , " & " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(lt|#60); " , " < " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(gt|#62); " , " > " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(nbsp|#160); " , " " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(iexcl|#161); " , " /xa1 " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(cent|#162); " , " /xa2 " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(pound|#163); " , " /xa3 " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &(copy|#169); " , " /xa9 " , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @" &#(/d+); " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " xp_cmdshell " , "" , RegexOptions.IgnoreCase);
// 删除与数据库相关的词
Htmlstring = Regex.Replace(Htmlstring, " select " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " insert " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " delete from " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " count'' " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " drop table " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " truncate " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " asc " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " mid " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " char " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " xp_cmdshell " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " exec master " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " net localgroup administrators " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " and " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " net user " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " or " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " net " , "" , RegexOptions.IgnoreCase);
// Htmlstring = Regex.Replace(Htmlstring, "*", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " - " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " delete " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " drop " , "" , RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " script " , "" , RegexOptions.IgnoreCase);
// 特殊的字符
Htmlstring = Htmlstring.Replace( " < " , "" );
Htmlstring = Htmlstring.Replace( " > " , "" );
Htmlstring = Htmlstring.Replace( " * " , "" );
Htmlstring = Htmlstring.Replace( " - " , "" );
Htmlstring = Htmlstring.Replace( " ? " , "" );
Htmlstring = Htmlstring.Replace( " ' " , " '' " );
Htmlstring = Htmlstring.Replace( " , " , "" );
Htmlstring = Htmlstring.Replace( " / " , "" );
Htmlstring = Htmlstring.Replace( " ; " , "" );
Htmlstring = Htmlstring.Replace( " */ " , "" );
Htmlstring = Htmlstring.Replace( " /r/n " , "" );
Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
return Htmlstring;
}
}
5.
; i < pattern.Length; i ++ )
{
str = str.Replace(pattern[i].ToString(), "" );
}
return str;
}